A critical privilege-escalation vulnerability could lead to backdoors for admin access nesting in web servers.

A popular WordPress SEO-optimization plugin, called All in One SEO, has a pair of security vulnerabilities that, when combined into an exploit chain, could leave website owners open to site takeover. The plugin is used by more than 3 million websites.

An attacker with an account with the site – such as a subscriber, shopping account holder or member – can take advantage of the holes, which are a privilege-escalation bug and an SQL-injection problem, according to researchers at Sucuri.

wordpress plugin zero day

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.”

The pair is ripe for easy exploitation, according to Sucuri, so users should upgrade to the patched version, v. 4.1.5.3. Marc Montpas, a security researcher at Automattic,  was credited with finding the bugs.

Privilege Escalation and SQL Injection

WordPress – Security Tips – How to outsmart hackers: A step-by-step guide